How switches work

To set off a security switch, define a NO.* switch profile for it. We can override a NO.* profile set at the queue sharing group level by defining a YES.* profile for a queue manager.

To set off a security switch, we need to define a NO.* switch profile for it. The existence of a NO.* profile means that security checks are not performed for that type of resource, unless you choose to override a queue sharing group level setting on a particular queue manager. This is described in Overriding queue sharing group level settings.

If your queue manager is not a member of a queue sharing group, we do not need to define any queue sharing group level profiles or any override profiles. However, we must remember to define these profiles if the queue manager joins a queue sharing group at a later date.

Each NO.* switch profile that IBM MQ detects turns off the checking for that type of resource. Switch profiles are activated during startup of the queue manager. If we change the switch profiles while any affected queue managers are running, you can get IBM MQ to recognize the changes by issuing the IBM MQ REFRESH SECURITY command.

Overriding queue sharing group level settings

We can override queue sharing group level security settings for a particular queue manager that is a member of that group. To perform queue manager checks on an individual queue manager that are not performed on other queue managers in the group, use the (qmgr-name.YES.*) switch profiles.

Conversely, if we do not want to perform a certain check on one particular queue manager within a queue sharing group, define a (qmgr-name.NO.*) profile for that particular resource type on the queue manager, and do not define a profile for the queue sharing group. ( IBM MQ only checks for a queue sharing group level profile if it does not find a queue manager level profile.)